Hi,
I'm trying to get a system to run clean (no errors). The only application
running through this system (as a router/firewall) is ftp (20 at a time).
The "bad nat" counter increments about 100/hour while handling about 130,000
sessions/hour.
Q: What makes "bad nat" increment? What can I change on my system to keep
this from happening?
Running netbsd-5 (5.0_RC1) and ipfilter:
hal# ipf -V
ipf: IP Filter: v4.1.29 (396)
Kernel: IP Filter: v4.1.29
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0
Feature mask: 0x10e
hal#
hal# cat /etc/ipnat.conf
map vlan666 10.1.0.0/16 -> 5.10.0.1/32 proxy port ftp ftp/tcp
map vlan666 10.1.0.0/16 -> 5.10.0.1/32 portmap tcp/udp 40000:60000
map vlan666 10.1.0.0/16 -> 5.10.0.1/32
hal#
The kernel config on "hal" is GENERIC plus:
options KMEMSTATS
options NMBCLUSTERS=131070
options IPSEC
options IPSEC_ESP
options IPSEC_DEBUG
options IPSEC_NAT_T
options GATEWAY
options VERIFIED_EXEC
options ALTQ
options ALTQ_BLUE
options ALTQ_CBQ
options ALTQ_CDNR
options ALTQ_FIFOQ
options ALTQ_FLOWVALVE
options ALTQ_HFSC
options ALTQ_LOCALQ
options ALTQ_PRIQ
options ALTQ_RED
options ALTQ_RIO
options ALTQ_WFQ
options SHMMAXPGS=8192
options MSGMNB=16384
options MSGSSZ=64
options MSGTQL=512
[client]--->[hal]---->[server]
             ^nat
There are no errors on the interface.
hal# ipnat -s
mapped in 10452681 out 13281342
added 166667 expired 1240
no memory 0 bad nat 171
inuse 4147
orphans 0
rules 3
wilds 1
hash efficiency 22.09%
bucket usage 44.75%
minimal length 0
maximal length 15
average length 4.527
TCP Entries per state
0 1 2 3 4 5 6 7 8 9 10 11
1 1 0 0 18 0 0 0 0 0 4127 0
hal#
Thanks,
peter
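Added example, not part of the original post and not IPFilter's own code: a small Python script that parses the "ipnat -s" output quoted above, takes a second snapshot (constructed here, hypothetically one hour later, with the roughly 130,000 added sessions and 100 extra "bad nat" the post reports) and turns the raw counters into a per-session "bad nat" ratio plus a couple of health checks worth putting in a monitoring job. Counter names are exactly those printed by ipnat -s in the post; the second snapshot, the SNAPSHOT_* names and the helper functions are assumptions for illustration only.

```python
"""Parse `ipnat -s` output and track the "bad nat" counter against session
volume.  Added example for this thread; not part of the original post or of
IPFilter.  Counter names follow the ipnat -s output quoted above."""
import re

# Snapshot 1: a constructed copy of the `ipnat -s` output quoted in the post.
SNAPSHOT_T0 = """\
mapped in 10452681 out 13281342
added 166667 expired 1240
no memory 0 bad nat 171
inuse 4147
orphans 0
rules 3
wilds 1
hash efficiency 22.09%
bucket usage 44.75%
minimal length 0
maximal length 15
average length 4.527
TCP Entries per state
 0 1 2 3 4 5 6 7 8 9 10 11
 1 1 0 0 18 0 0 0 0 0 4127 0
"""

# Snapshot 2: hypothetical output one hour later, constructed to match the
# rates the post reports (about 130,000 sessions and 100 "bad nat" per hour).
SNAPSHOT_T1 = (SNAPSHOT_T0.replace("added 166667", "added 296667")
                          .replace("bad nat 171", "bad nat 271"))

# "label value" pairs; several counters share one line ("added N expired M").
_COUNTER = re.compile(r"([a-z][a-z ]*?)\s+(\d+(?:\.\d+)?)%?")


def parse_ipnat_stats(text):
    """Return {counter name: value} for the scalar counters, plus
    'tcp states': {state index: entry count} from the trailing table."""
    stats = {}
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    for i, line in enumerate(lines):
        if line.startswith("TCP Entries per state"):
            # The table is two rows: state indices, then entry counts.
            idx = [int(x) for x in lines[i + 1].split()]
            cnt = [int(x) for x in lines[i + 2].split()]
            stats["tcp states"] = dict(zip(idx, cnt))
            break
        for name, value in _COUNTER.findall(line):
            name = name.strip()
            if name == "out":          # second counter of "mapped in N out M"
                name = "mapped out"
            stats[name] = float(value) if "." in value else int(value)
    return stats


def bad_nat_ratio(before, after):
    """Fraction of NAT entries added between two snapshots that coincided
    with a 'bad nat' increment.  'added' counts entries created, which for
    this box (one NAT entry per ftp session) approximates sessions."""
    sessions = after["added"] - before["added"]
    bad = after["bad nat"] - before["bad nat"]
    if sessions <= 0:
        raise ValueError("no new sessions between snapshots")
    return bad / sessions


def busiest_tcp_state(stats):
    """(state index, entry count) of the TCP state holding most entries."""
    states = stats["tcp states"]
    idx = max(states, key=states.get)
    return idx, states[idx]


def health_flags(stats):
    """Counters from one snapshot that a monitoring check should report."""
    flags = []
    if stats["no memory"] > 0:
        flags.append("no memory counter is %d" % stats["no memory"])
    if stats["orphans"] > 0:
        flags.append("orphans counter is %d" % stats["orphans"])
    return flags


if __name__ == "__main__":
    t0 = parse_ipnat_stats(SNAPSHOT_T0)
    t1 = parse_ipnat_stats(SNAPSHOT_T1)
    print("bad nat per added entry: %.3e" % bad_nat_ratio(t0, t1))
    print("inuse %d, busiest TCP state (index, entries): %r"
          % (t0["inuse"], busiest_tcp_state(t0)))
    for flag in health_flags(t1):
        print("WARN", flag)
```

On the real box, feed the output of "ipnat -s" to parse_ipnat_stats() from a cron job and keep the previous snapshot; the ratio of the "bad nat" delta to the "added" delta is the figure to graph, since the absolute counter only ever grows until the NAT table is flushed. The script deliberately does not name the TCP state indices, because it only knows what ipnat printed.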